
Forking Shai-Hulud: RedHat npm Packages Are The Next Victim After GitHub Actions Compromise and Worm

Blog post from Semgrep

Post Details
Company: Semgrep
Date Published: -
Author: Katie Paxton-Fear
Word Count: 633
Language: English
Hacker News Points: -
Summary

RedHat recently fell victim to an npm worm attack that compromised numerous packages in the @redhat-cloud-services npm organization. The malware is suspected to be a variant of Mini Shai-Hulud, with the original's Dune theme swapped for Greek mythology. It uses multi-stage credential harvesters that fire from preinstall hooks during npm installs and target secrets from GitHub Actions, AWS, GCP, Azure, Kubernetes and other platforms. The breach was facilitated by compromised GitHub Actions OIDC tokens, and the malicious packages were distributed through the RedHatInsights/javascript-clients repository. Compared with earlier variants, this worm goes after a wider range of cloud environment credentials: it reads secrets directly from the GitHub Actions runner's memory and collects AWS and Azure tokens, npm publish tokens and .env files, so CI/CD environments are significantly exposed.